added passwds to config & updated bootstrap script

This commit is contained in:
Sam 2024-05-21 19:11:23 +01:00
parent 2d3398b217
commit 0178448748
10 changed files with 161 additions and 78 deletions


@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715872464, "lastModified": 1716168343,
"narHash": "sha256-mkZ3hrPG7d+qL7B6pQcrNfPh2mnQEJR3FHK93qCp6Uk=", "narHash": "sha256-82oT27w9smpItZ+PyN2C0PjIwZYbIocwXSM4u1igXuc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "5f6dbcce99d60dd77f96dfc66d06bbea149a40e1", "rev": "6f01b9710bc4d3bf006eb8df928b4b15e0430901",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,11 +27,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715486357, "lastModified": 1715930644,
"narHash": "sha256-4pRuzsHZOW5W4CsXI9uhKtiJeQSUoe1d2M9mWU98HC4=", "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "44677a1c96810a8e8c4ffaeaad10c842402647c1", "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -58,11 +58,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716153530, "lastModified": 1716313798,
"narHash": "sha256-riMwDwr4q5XbaE/Vd7FrYOrf9huJznTIPwemUqBPljw=", "narHash": "sha256-XQnaNbpCxUo97c64IBbrbSKAA5FJb6FTyylPFRp/ZyY=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "80e1cc126aeaaf1244b713407f12d69aa255b57d", "rev": "6f2eb80d6a641515e205fd7df615453567ad9ffe",
"revCount": 17, "revCount": 20,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -85,11 +85,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1715458492, "lastModified": 1716061101,
"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=", "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8e47858badee5594292921c2668c11004c3b0142", "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -101,11 +101,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1715787315, "lastModified": 1716137900,
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=", "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5", "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -134,11 +134,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1715482972, "lastModified": 1716244104,
"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=", "narHash": "sha256-XXbqfkyWe0d0O+zqRQWi2oXi6wYDmTzXedFkBRwx1VI=",
"owner": "mic92", "owner": "mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e", "rev": "fddd52460e3332eedd8a0043af5675338a5b3e0b",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -12,18 +12,10 @@ in
]; ];
sops = { sops = {
age.sshKeyPaths = ["${homeDirectory}/.ssh/ssh_host_ed25519_key"]; age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"];
defaultSopsFile = "${secretsFile}"; defaultSopsFile = "${secretsFile}";
validateSopsFiles = false; validateSopsFiles = false;
secrets = {
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/ssh_host_ed25519_key";
};
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/ssh_host_ed25519_key.pub";
};
};
}; };
} }
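Review bot: With the `secrets` entries that used to install `~/.ssh/ssh_host_ed25519_key` removed, nothing in this module provisions the `~/.ssh/id_ed25519` identity that `age.sshKeyPaths` now points at, so on a fresh host the home-manager sops activation will presumably fail until the bootstrap script has copied that key in (and the script's user-key `scp` lines in this same commit look broken). A comment stating that dependency would save the next person a debugging session: `# ~/.ssh/id_ed25519 is not managed here: bootstrap copies it in, and it is the age identity used to decrypt secrets.yaml`. Also worth noting in that comment that the key must be the one whose age recipient was added to .sops.yaml. The `sops` set is complete in the hunk, but the enclosing module starts before it.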


@ -1,4 +1,8 @@
{pkgs, ...}: { {pkgs, lib, inputs, config, ...}:
let
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
in
{
imports = [ imports = [
./sops.nix ./sops.nix
./locale.nix ./locale.nix
@ -12,4 +16,13 @@
pkgs.neovim pkgs.neovim
]; ];
users = {
mutableUsers = true;
extraUsers = {
root = {
hashedPasswordFile = sopsHashedPasswordFile;
};
};
};
} }
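Review bot: `sopsHashedPasswordFile` falls back to the empty string when `sops-nix` is not among the inputs, so `hashedPasswordFile` becomes `""` rather than unset, and NixOS will treat that as a path to read instead of "no password"; the fallback should be `null`: `sopsHashedPasswordFile = if lib.hasAttr "sops-nix" inputs then config.sops.secrets."passwords/root".path else null;`. Separately, with `mutableUsers = true` the hashed password is only applied when the account is first created (the option's documentation says existing passwords are not changed), so rotating `passwords/root` in secrets.yaml will presumably not reach already-provisioned hosts; if sops is meant to own the password, `mutableUsers = false` is what makes that hold, and a comment should record whichever choice is intended. `extraUsers` is also the legacy alias of `users.users`. The `users` set is complete in the hunk, but the enclosing module starts before it.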


@ -1,8 +1,8 @@
{ pkgs, inputs, config, configVars, ... }: { pkgs, inputs, config, ... }:
let let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = "/home/${configVars.username}"; hostname = config.networking.hostName;
in in
{ {
imports = [ imports = [
@ -15,8 +15,10 @@ in
age = { age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt"; };
generateKey = true; secrets = {
"passwords/root".neededForUsers = true;
"passwords/sam".neededForUsers = true;
}; };
}; };
} }
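Review bot: The `hostname` binding added at the top of the file is not used in any visible line of this section (the second hunk only touches `sops.age` and `sops.secrets`), so it looks like a leftover from dropping `configVars`; if nothing outside the shown lines reads it, remove it. The `neededForUsers = true` entries change where and when the secret is decrypted and deserve a comment: `# neededForUsers: decrypted before user creation so users.users.*.hashedPasswordFile can read it`. Dropping `keyFile`/`generateKey` makes the host ssh key the only age identity, so every host importing this module now silently depends on `/etc/ssh/ssh_host_ed25519_key` surviving reboots — the media host persists `/etc/ssh` in this commit, and the other hosts should be checked. The `sops` set continues outside the first hunk.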


@ -7,7 +7,7 @@ in
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ sshPort ]; ports = [ sshPort ];
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/default"];
settings = { settings = {
# Harden # Harden
PasswordAuthentication = true; PasswordAuthentication = true;
@ -15,7 +15,8 @@ in
# Automatically remove stale sockets # Automatically remove stale sockets
StreamLocalBindUnlink = "yes"; StreamLocalBindUnlink = "yes";
}; };
}; };
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
} }
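Review bot: Now that root and `sam` receive sops-provisioned passwords, the unchanged `PasswordAuthentication = true` sitting under the `# Harden` comment in this hunk turns those passwords into a remotely guessable SSH credential, which the commit does not address; since `users.users.sam.openssh.authorizedKeys.keys` is already populated from `../keys`, `PasswordAuthentication = false;` (with `KbdInteractiveAuthentication = false;`) would keep the passwords for console and sudo only. If password login is deliberately kept for bootstrapping, say so in a comment rather than leaving it under "Harden". Dropping the `mkForce` on `authorizedKeysFiles` falls back to the NixOS default, which as far as I recall includes `/etc/ssh/authorized_keys.d/%u`, the file the `authorizedKeys` option writes — so that part is consistent. The `settings` set continues past the hunk.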


@ -1,14 +1,16 @@
{ pkgs, inputs, config, lib, ... }: { pkgs, inputs, config, lib, ... }:
let let
pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName; hostname = config.networking.hostName;
pubKeys = lib.filesystem.listFilesRecursive (../keys);
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/sam".path;
in in
{ {
users.users.sam = { users.users.sam = {
#mutableUsers = false;
isNormalUser = true; isNormalUser = true;
#password = "nixos"; # Overridden if sops is working
shell = pkgs.zsh; # default shell shell = pkgs.zsh; # default shell
hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ extraGroups = [
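Review bot: As for root, `sopsHashedPasswordFile` evaluates to `""` rather than `null` when `sops-nix` is not among the inputs, so `hashedPasswordFile = ""` is handed to user creation as a path; write it as `sopsHashedPasswordFile = if lib.hasAttr "sops-nix" inputs then config.sops.secrets."passwords/sam".path else null;`. If the commented-out `#password = "nixos";` and `#mutableUsers = false;` lines are still on the new side they are dead config — either delete them or replace the first with a real comment such as `# password comes from passwords/sam in secrets.yaml (see common/core/sops.nix)`. Note also that `listFilesRecursive ../keys` authorizes every file under that directory verbatim, so the new `$HOME/keys/` tree the bootstrap script creates must never be pointed at this path. The `users.users.sam` set continues past the hunk.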


@ -11,7 +11,7 @@
../common/optional/pipewire.nix ../common/optional/pipewire.nix
../common/optional/hyprland.nix ../common/optional/hyprland.nix
../common/optional/displayManager/sddm.nix ../common/optional/displayManager/sddm.nix
../common/optional/openssh ../common/optional/openssh.nix
# Create users for this host # Create users for this host
../common/users/sam ../common/users/sam


@ -1,5 +1,4 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
{ {
imports = imports =
[ [
@ -13,6 +12,9 @@
./hardware-configuration.nix ./hardware-configuration.nix
../common/core ../common/core
# Import optional options
../common/optional/openssh.nix
# Create users for this host # Create users for this host
../common/users/media ../common/users/media
@ -34,6 +36,7 @@
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/etc/nixos" "/etc/nixos"
"/etc/ssh"
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
@ -70,12 +73,6 @@
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
openssh = {
enable = true;
ports = [22]; # FIXME: Make this use configVars.networking
settings.PermitRootLogin = "yes";
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
};
}; };
services.libinput.enable = true; services.libinput.enable = true;
services.displayManager.defaultSession = "cinnamon"; services.displayManager.defaultSession = "cinnamon";
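Review bot: Removing the per-host `openssh` block drops `PermitRootLogin = "yes"`, but the bootstrap script in this same commit still runs `ssh-copy-id root@$ip` and `scp ... root@$ip:/etc/ssh/...` against the installed system, so root SSH after install now depends entirely on what `../common/optional/openssh.nix` sets (its `PermitRootLogin` is not visible in this diff) — either set it explicitly there or have the script push the host key as `$username` with sudo. Persisting `/etc/ssh` is the right fix for the age identity surviving reboots, and a comment should say so: `"/etc/ssh" # host key doubles as the sops/age identity; must survive reboot`. Be aware that persisting the whole directory also keeps every host key sshd generates (NixOS generates an RSA key too, as far as I recall), not only the ed25519 one bootstrap copies in. The `environment.persistence` and `services` sets both start and end outside their hunks.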


@ -19,38 +19,47 @@ read -p "Enter username: " username
read -p "Enter ip address: " ip read -p "Enter ip address: " ip
read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
echo "
Details entered:
Hostname: $hostname
Username: $username
IP address: $ip
System to build: $config
"
read -p "Is this correct? (yes|no): " check_details
[ "$check_details" != "yes" ] && echo "Try again. Exiting" && exit 0
# Generate key name and dir # Generate key name and dir
KEY_DIR="$HOME/keys/$hostname/" HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
mkdir -p $KEY_DIR USER_KEY_DIR="$HOME/keys/users/$username"
KEY_NAME="$username@$hostname-ssh-ed25519" mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR"
# Create ssh keys if not exists
echo "Creating '$hostname' ssh keys"
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
echo "Creating '$username' ssh keys"
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "user" --username "$username" --hostname "$hostname"
# Delete key in known hosts if exists # Delete key in known hosts if exists
confirm_delete="" sed -i "/$ip/d" ~/.ssh/known_hosts
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
# Generate new keys for target host if not exists
echo "Creating ssh keys for new host."
overwrite=""
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
# Authorise source public key # Authorise source public key
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Generate age key from target host public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host ssh key" echo "Generating age key from target host and user ssh key"
nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname" nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
[ $? != 0 ] && echo "Error generating age key" && exit 1 nix-shell -p ssh-to-age --run "cat $USER_KEY_DIR/id_ed25519.pub | ssh-to-age > $USER_KEY_DIR/age_user_key"
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname") HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
echo -e "Age key:\n$AGE_KEY\n" USER_AGE_KEY=$(cat "$USER_KEY_DIR/age_user_key")
echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later." echo -e "Host age key:\n$HOST_AGE_KEY\n"
echo -e "User age key:\n$USER_AGE_KEY\n"
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
# Install Nixos to target # Install Nixos to target
cd "$HOME/nixos" cd "$HOME/nixos"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/ssh_host_ed25519_key" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
@ -73,15 +82,19 @@ echo "$ip is now online and port 22 is open!"
# Authorise source public key # Authorise source public key
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip"
# Copy host ssh keys to target & delete key in known hosts (because of key change)
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key" && sed -i "/$ip/d" ~/.ssh/known_hosts
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
# Copy user ssh keys to target
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519_key" "$username@$ip:~/.ssh/id_ed25519"
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519_key.pub" "$username@$ip~/.ssh/id_ed25519.pub"
# Copy deploy_key to target for personal repo authorisation # Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519" scp -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519.pub" scp -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
# Copy previously generated ssh keys
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "media@$ip:~/.ssh/ssh_host_ed25519_key"
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "media@$ip:~/.ssh/ssh_host_ed25519_key.pub"
echo "Configuring target host ssh connection to enable connection to gitea repos:" echo "Configuring target host ssh connection to enable connection to gitea repos:"
read -r -d '' config << EOM read -r -d '' config << EOM
@ -101,13 +114,16 @@ previously.
Enter the details as following: Enter the details as following:
keys: keys:
- &users:
- &$username $USER_AGE_KEY
- &hosts: - &hosts:
- &$hostname $AGE_KEY - &$hostname $HOST_AGE_KEY
creation_rules: creation_rules:
- path_regex: secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:
- age: - age:
- *$username
- *$hostname - *$hostname
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run: Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
@ -128,8 +144,8 @@ do
[ "$confirm" = "yes" ] && break [ "$confirm" = "yes" ] && break
done done
ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'" ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'" ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
echo "Successfully installed Nixos on the target host!" echo "Successfully installed Nixos on the target host!"
echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'" echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
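Review bot: The user-key copy in the last hunk cannot work as written: `scp` reads `$USER_KEY_DIR/id_ed25519_key`, but `generate_ssh_keys.sh` writes the user key as `id_ed25519`, and the second destination `"$username@$ip~/.ssh/id_ed25519.pub"` is missing the `:`, so scp treats it as a local path. The deploy-key lines now pass the public key to `-i`, which only works when the matching private key is loaded in an agent; the lines just above them use the private key. The host-key copy deletes the known_hosts entry with `sed "/$ip/d"` (an unanchored regex, so `10.0.0.1` also wipes `10.0.0.10`) and then trusts whatever key the next connection presents, even though the script already holds the authoritative public key — pin it with `ssh-keygen -R` plus an appended known_hosts line, and restart sshd so the new key is actually served (NixOS's sshd unit uses KillMode=process as far as I recall, so the restart should not drop the session, but verify). The flat script continues well beyond this hunk in both directions.
```shell
# … unchanged: ssh-copy-id to "$username@$ip" …
ID_KEY="$(readlink -f "$HOME/.ssh/id_ed25519")"
# Install the pre-generated host key, restart sshd so it is actually served,
# and pin it in known_hosts instead of trusting whatever the next connection shows.
scp -i "$ID_KEY" "$HOST_KEY_DIR/ssh_host_ed25519_key" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/"
ssh -i "$ID_KEY" "root@$ip" "chmod 600 /etc/ssh/ssh_host_ed25519_key && systemctl restart sshd"
ssh-keygen -R "$ip" >/dev/null 2>&1
printf '%s %s\n' "$ip" "$(cut -d' ' -f1,2 "$HOST_KEY_DIR/ssh_host_ed25519_key.pub")" >> ~/.ssh/known_hosts
# User key: generate_ssh_keys.sh writes id_ed25519 (not id_ed25519_key); remote paths need ':'
scp -i "$ID_KEY" "$USER_KEY_DIR/id_ed25519" "$username@$ip:~/.ssh/id_ed25519"
scp -i "$ID_KEY" "$USER_KEY_DIR/id_ed25519.pub" "$username@$ip:~/.ssh/id_ed25519.pub"
# Deploy key: -i takes the private key, not the .pub
scp -i "$ID_KEY" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/"
```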

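--- /dev/null
+++ b/scripts/generate_ssh_keys.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+#
+# usage: ./generate_ssh_keys.sh --type "host" --username "root" --hostname "hostname"
+#
+while [[ $# -gt 0 ]]
+do
+key="$1"
+case $key in
+--type)
+type="$2"
+shift # past argument
+shift # past value
+;;
+--username)
+username="$2"
+shift # past argument
+shift # past value
+;;
+--hostname)
+hostname="$2"
+shift # past argument
+shift # past value
+;;
+*) # unknown option
+echo "Unknown option $1"
+exit 1
+;;
+esac
+done
+if [[ -z "$type" || -z "$username" || -z "$hostname" ]]; then
+echo "All arguments are not specified."
+exit 1
+fi
+if [[ $type != "user" && $type != "host" ]]; then
+echo "Invalid type. It should be either 'user' or 'host'"
+exit 1
+fi
+HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
+USER_KEY_DIR="$HOME/keys/users/$username"
+mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR"
+if [[ $type == "user" ]]; then
+keyfile="id_ed25519"
+name="$username"
+else
+keyfile="ssh_host_ed25519_key"
+name="root@$hostname"
+fi
+keydir=$([[ $type == "user" ]] && echo "$USER_KEY_DIR" || echo "$HOST_KEY_DIR")
+fullpath="$keydir/$keyfile"
+overwrite=""
+[ -f "$fullpath" ] && read -p "Target key '$fullpath' already exists, would you like to overwrite it? (yes|no) " overwrite
+[ "$overwrite" = "yes" ] || [ -z "$overwrite" ] && ssh-keygen -t ed25519 -f "$fullpath" -C "$name" -N ""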
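Review bot: The last line `[ "$overwrite" = "yes" ] || [ -z "$overwrite" ] && ssh-keygen ...` has two problems: pressing Enter at the prompt (empty answer) counts as "overwrite", so the host key the existing fleet member trusts is silently replaced, and answering `no` makes the script exit non-zero, so any caller that checks `$?` (bootstrap does not yet) would treat "keep the existing key" as a failure. An explicit `if`/`else` with `exit 0` on the keep path plus `set -euo pipefail` at the top leaves a failing `ssh-keygen` as the only non-zero exit; ssh-keygen also prompts its own "Overwrite (y/n)?" when the file exists, so remove the old pair first. The private keys are passphrase-less (`-N ""`) and `$HOME/keys` is created under the caller's umask, so add `umask 077` before the `mkdir -p`, since this tree ends up holding the private host key of every machine; `read -p` should be `read -rp`. The script is complete within this hunk.
```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077   # $HOME/keys holds passphrase-less private keys for every host and user
# … unchanged: argument parsing, validation, key dir / name selection …
if [[ -f "$fullpath" ]]; then
    read -rp "Target key '$fullpath' already exists, would you like to overwrite it? (yes|no) " overwrite
    if [[ "$overwrite" != "yes" ]]; then
        echo "Keeping existing key '$fullpath'"
        exit 0
    fi
    rm -f "$fullpath" "$fullpath.pub"   # otherwise ssh-keygen prompts a second time
fi
ssh-keygen -t ed25519 -f "$fullpath" -C "$name" -N ""
```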